Microsoft Issues IE Patch To Address Zero-Day Threat

Microsoft issued a cumulative "out-of-band" security patch on Thursday for a bug in all versions of Internet Explorer.

The patch notably falls outside of Microsoft's monthly security update cycle. Microsoft is responding to a flaw that has enabled remote code execution (RCE) attacks, particularly on Google and other companies from hackers in China, as described last week.

The second patch is the big umbrella hotfix expected to quell the technical problem associated with the Google attack. It fixes all versions of IE, from IE 5 through IE 8, on all supported Windows OSes.

"We've reached a point where we have become numb to 'reports of limited attacks' when vulnerabilities are disclosed publicly," said Sheldon Malm, senior director of security strategy at Rapid7. "This [release] is a great example of how the research community helps to bring real customer needs and vendor actions together."

Both patches will require restarts of the OS to take effect, but they come at the right time.

"Because of these in-the-wild exploits and the amount of media and customer attention on this specific exploit, Microsoft was right in deciding that it was in their customers' best interest to issue this out-of-band patch," said Don Leatham, senior director of solutions and strategy at Lumension.

IE has been subject to patching of late, with the last zero-day bug fix seen in late November. Prior to this latest out-of-band release, Microsoft faced a potentially damaging backlash against the browser, with cabinet leadership in both France and Germany suggesting that people use other browsers than Internet Explorer.

Microsoft and security researchers have recommended upgrading the browser and using a Windows setting called data execution prevention (DEP) to better secure IE. However, Microsoft confirmed on Wednesday that all current versions of Internet Explorer contain a DEP bypass vulnerability, but that IE 6 is the only affected version reported so far. Despite that warning, Microsoft and many other security observers have suggested that DEP can help in stopping the exploit code.

IE 6 is still the most popular Microsoft Web browser many years after its release. More than 20 percent of all Web traffic is associated with IE 6 use, according to Net Applications, which tracks browser market share. Still, Microsoft's newer browsers aren't immune. Joshua Talbot, security intelligence manager at Symantec Security Response, said he is certain that "bad guys are working overtime to create reliable exploits for the other affected versions of Internet Explorer, namely 7 and 8."

The exploit appears to rely on social engineering techniques to take effect, such as directing the victim to a specially crafted Web site for attack.

"Based on our in-the-field detections, this security vulnerability has only been used in a very limited number of targeted attacks so far," Talbot explained. "However they appear to be very high profile attacks. The most likely attack vector used in the incidents seen thus far is targeted e-mails containing legitimate looking attachments or links to Web sites sent to high-level employees. When the attachment is opened, an exploit for the vulnerability springs into action and the computer becomes infected."

DEP is one factor in warding off attacks, but security becomes more effective when DEP is used with Address Space Layout Randomization (ASLR), according to Microsoft and researchers. Newer versions of the browser, such as IE 7 and IE 8, running on Windows Vista and Windows 7 are less vulnerable because they have ASLR.

In addition, Microsoft's newer OSes were designed with a better approach to security, according to Leatham.

"This security bug is a clear, real-world example of the superior security model implemented in Windows Vista and Windows 7," Leatham said. "This whole situation should be a wake-up call to organizations still running Windows XP to accelerate their migration plans."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.